Authentication and Access Control for Amazon CloudWatch Events

Access to Amazon CloudWatch Events requires credentials that AWS can use to authenticate your requests.
Those credentials must have permissions to access AWS resources, such as retrieving event
data from other AWS resources. The following sections provide details on how you can use
AWS Identity and Access Management (IAM) and CloudWatch Events to help
secure your resources by controlling who can access them:

Authentication

You can access AWS as any of the following types of identities:

AWS account root user – When you sign up
for AWS, you provide an email address and password that are associated with your AWS
account. These are your root credentials, and they provide
complete access to all of your AWS resources.

Important

For security reasons, we recommend that you use the root credentials only
to create an administrator user, which is an
IAM user with full permissions to your AWS account.
Then, you can use this administrator user to create other IAM users and
roles with limited permissions. For more information, see IAM Best
Practices and Creating an
Admin User and Group in the
IAM User Guide.

In addition to a user name and password, you can also generate access keys for
each user. You can use these keys when you access AWS services programmatically,
either through one of the several
SDKs or by using the AWS Command Line Interface
(AWS CLI). The SDK and CLI tools use the access keys to
cryptographically sign your request. If you don’t use the AWS tools, you must
sign the request yourself. CloudWatch Events supports Signature
Version 4, a protocol for authenticating inbound API requests.
For more information about authenticating requests, see Signature Version 4 Signing
Process in the AWS General Reference.
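The Signature Version 4 process described above, as an added example that is not part of this guide or the AWS SDKs: it derives the scoped signing key and builds the Authorization header for a PutRule request to the CloudWatch Events endpoint. The access key, secret key, region, rule name and timestamp are constructed placeholders.

```python
import hashlib
import hmac
import json


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign_events_request(access_key, secret_key, region, amz_target, body, amz_date):
    """Return the headers for a signed POST to the CloudWatch Events endpoint."""
    service = "events"
    date = amz_date[:8]  # YYYYMMDD part of the ISO 8601 basic timestamp
    headers = {
        "content-type": "application/x-amz-json-1.1",
        "host": f"events.{region}.amazonaws.com",
        "x-amz-date": amz_date,
        "x-amz-target": amz_target,  # e.g. AWSEvents.PutRule
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    # Canonical request: method, URI, query string, headers, signed header list, payload hash
    canonical_request = "\n".join(
        ["POST", "/", "", canonical_headers, signed_headers, _sha256_hex(body)])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode("utf-8"))])
    key = derive_signing_key(secret_key, date, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


# Constructed sample: placeholder credentials and a PutRule body for a demo rule.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
PUT_RULE_BODY = json.dumps({"Name": "demo-rule", "ScheduleExpression": "rate(5 minutes)"}).encode()

if __name__ == "__main__":
    for k, v in sign_events_request(ACCESS_KEY, SECRET_KEY, "us-east-1", "AWSEvents.PutRule",
                                    PUT_RULE_BODY, "20150830T123600Z").items():
        print(f"{k}: {v}")
```

Because the payload hash is part of the canonical request, any change to the body or to a signed header invalidates the signature; the key is also scoped to one date, region and service, so a leaked signing key is far less useful than the secret access key itself.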

IAM role – An IAM role is another IAM identity
you can create in your account that has specific permissions. It is similar to
an IAM user, but it is not associated with a specific
person. An IAM role enables you to obtain temporary access keys that can be
used to access AWS services and resources. IAM roles with temporary
credentials are useful in the following situations:

Federated user access – Instead of
creating an IAM user, you can use preexisting user identities from AWS Directory Service,
your enterprise user directory, or a web identity provider. These are known
as federated users. AWS assigns a role to a federated
user when access is requested through an identity provider.
For more information about federated users, see Federated Users and Roles in the
IAM User Guide.

AWS service access – You can use an
IAM role in your account to grant an AWS service permissions to access
your account’s resources. For example, you can create a role that allows
Amazon Redshift to access an Amazon S3 bucket on your behalf and then load data
stored in the bucket into an Amazon Redshift cluster. For more information, see
Creating
a Role to Delegate Permissions to an AWS Service in the
IAM User Guide.

Applications running on Amazon EC2 –
Instead of storing access keys within the EC2 instance for use by
applications running on the instance and making AWS API requests, you
can use an IAM role to manage temporary credentials for these
applications. To assign an AWS role to an EC2 instance and make it
available to all of its applications, you can create an instance profile
that is attached to the instance. An instance profile contains the role
and enables programs running on the EC2 instance to get temporary
credentials. For more information, see Using Roles
for Applications on Amazon EC2 in the
IAM User Guide.

Access Control

You can have valid credentials to authenticate your requests, but unless you also have
permissions, you cannot create or access CloudWatch Events resources. For example, you must have
permissions to invoke the AWS Lambda, Amazon Simple Notification Service (Amazon SNS), and Amazon Simple Queue Service (Amazon SQS) targets
associated with your CloudWatch Events rules.

The following sections describe how to manage permissions for CloudWatch Events. We recommend that
you read the overview first.